
Healthcare IT Update: Key Considerations for Data Security Threats

Healthcare and regulatory partner Julia Hesse recently led a discussion on data security threats at HIMSS17 - the annual Healthcare Information and Management Systems Society conference. Here are the key takeaways from her presentation.

Data Security: Threat Assessment in the Ransomware Age

The “internet of things” and connected devices are drastically increasing risk of malicious cyberattack. Why?

  • Any device that is connected to a provider’s network can be used as an entry point.
  • The HIMSS17 floor featured connected devices ranging from patient engagement systems and virtual-reality enhanced imaging to internet connected lightbulbs.
  • Consumer and standard commercial products sold to hospital entities are also a potential threat (TVs, HVAC controllers, copiers/printers).
  • Security specialists have found that providers are not aware of (and are not tracking, security patching or inventorying) about 40% of the devices connected to their own networks.

Ransomware attacks are real, and pose an immediate threat to providers and vendors of all sizes. Why?

  • Federal regulators estimate that 4,000 ransomware attacks were made on U.S. hospitals each day of calendar year 2016.
  • Ransomware is available for free, to anyone who seeks it on the dark web.
  • Ransomware propagates through a system laterally and encrypts all data it finds.
  • The encryption used by ransomware is strong enough that recovering the data without the attacker’s key is practically impossible.
  • Vendors whose software and systems are used as the entry point for an attack will be subject to negligence and other tort claims if their security protocols are insufficient.
  • An entity’s best defense is to have a robust and immediately available backup system to rely on in the case of an attack.

Consider obtaining SAFETY Act certification for your organization’s programs or systems – and requiring your software vendors to obtain it. Why?

  • The SAFETY Act allows organizations to seek certification from the Department of Homeland Security that the service or product meets defined security standards.
  • It eliminates or minimizes tort liability for organizations that have received SAFETY Act certification in the event of a cyberattack.

The era of HIPAA enforcement has begun.

  • HIPAA regulators entered into more settlements in the past year than they have over the entire life of HIPAA combined.
  • Provider organizations are not the only entities in the crosshairs – regulators are focusing enforcement attention on business associates as well.
  • HIPAA regulators imposed more than $24 million in penalties in 2016, and are on track to impose more than $65 million in penalties in 2017.

Federal regulators are losing patience with organizations that have not conducted a thorough security risk analysis.

  • Some of the largest penalties and corrective action plans of 2016 involved organizations that did not complete a risk analysis – or conducted one that was incomplete.
  • And those 40% of internet connected devices you don’t know about? Regulators are on record saying that they expect organizations to inventory their internet-connected devices and that they must include those in the organization’s risk assessment.
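The two points above (the roughly 40% of connected devices providers are not tracking, and the regulators’ expectation that every internet-connected device appears in the inventory and the risk analysis) come down to one routine check: compare what the organization believes is on its network with what the network itself reports. The script below is an added example, not code from the presentation or from the firm. The inventory, the dnsmasq-style DHCP lease lines and the `arp -a`-style lines are all constructed for illustration; in practice the inventory would come from an asset database and the observations from the real DHCP server and switch or router tables.

```python
"""Reconcile an asset inventory against devices actually seen on the network.

Added example (not from the article or the presenter). Inventory entries,
lease lines, ARP lines and device names are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed asset inventory: what the organization *thinks* is connected,
# keyed by MAC address. A real deployment would pull this from a CMDB.
INVENTORY = {
    "00:1a:2b:3c:4d:01": "Radiology workstation RAD-01",
    "00:1a:2b:3c:4d:02": "Nurse station PC NS-07",
    "00:1a:2b:3c:4d:03": "Infusion pump INF-12",
    "00:1a:2b:3c:4d:04": "Core switch uplink",
}

# Constructed dnsmasq-style lease lines: "<expiry> <mac> <ip> <hostname> <client-id>".
SAMPLE_LEASES = """\
1489000000 00:1A:2B:3C:4D:01 10.20.0.11 rad-01 *
1489000100 00:1a:2b:3c:4d:02 10.20.0.12 ns-07 *
1489000200 00:1a:2b:3c:4d:03 10.20.0.13 inf-12 *
1489000300 aa:bb:cc:dd:ee:01 10.20.0.50 smart-tv-lobby *
1489000400 aa:bb:cc:dd:ee:02 10.20.0.51 hvac-ctrl *
1489000500 aa:bb:cc:dd:ee:03 10.20.0.52 * *
"""

# Constructed `arp -a`-style lines for statically addressed devices (no DHCP lease).
SAMPLE_ARP = """\
? (10.20.0.1) at 00:1a:2b:3c:4d:04 [ether] on eth0
? (10.20.0.60) at aa:bb:cc:dd:ee:04 [ether] on eth0
? (10.20.0.61) at <incomplete> on eth0
"""

MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}", re.IGNORECASE)


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    hostname: str  # "" when the source carries no name


def normalize_mac(mac: str) -> str:
    """Lower-case and colon-separate a MAC so inventory and observations compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp_leases(text: str) -> list[Device]:
    """Parse lease lines; malformed lines are skipped rather than aborting the run."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not MAC_RE.fullmatch(parts[1]):
            continue
        hostname = "" if parts[3] == "*" else parts[3]
        devices.append(Device(normalize_mac(parts[1]), parts[2], hostname))
    return devices


def parse_arp(text: str) -> list[Device]:
    """Parse `arp -a` lines; entries without a resolved MAC (<incomplete>) are skipped."""
    devices = []
    for line in text.splitlines():
        m = re.search(r"\((\S+)\) at (\S+)", line)
        if not m or not MAC_RE.fullmatch(m.group(2)):
            continue
        devices.append(Device(normalize_mac(m.group(2)), m.group(1), ""))
    return devices


def find_unknown_devices(observed: list[Device], inventory: dict) -> list[Device]:
    """Observed devices whose MAC is absent from the inventory, one entry per MAC."""
    known = {normalize_mac(m) for m in inventory}
    seen: dict[str, Device] = {}
    for d in observed:
        seen.setdefault(d.mac, d)
    return sorted((d for d in seen.values() if d.mac not in known), key=lambda d: d.mac)


def unknown_fraction(observed: list[Device], inventory: dict) -> float:
    """Share of distinct observed MACs that the inventory does not account for."""
    macs = {d.mac for d in observed}
    if not macs:
        return 0.0
    return len(find_unknown_devices(observed, inventory)) / len(macs)


def report() -> dict:
    """Run the reconciliation over the constructed samples and summarize it."""
    observed = parse_dhcp_leases(SAMPLE_LEASES) + parse_arp(SAMPLE_ARP)
    unknown = find_unknown_devices(observed, INVENTORY)
    return {
        "observed": len({d.mac for d in observed}),
        "unknown": [d.mac for d in unknown],
        "fraction": unknown_fraction(observed, INVENTORY),
    }


if __name__ == "__main__":
    r = report()
    print(f"{r['observed']} devices observed, {len(r['unknown'])} not in inventory "
          f"({r['fraction']:.0%})")
    for mac in r["unknown"]:
        print("  untracked:", mac)
```

Run against the constructed data, the check finds eight distinct devices on the network, four of which (a lobby TV, an HVAC controller, a nameless DHCP client and a static-address host) have no inventory record. Every device on that list is a candidate for the patching, tracking and risk-analysis work the regulators expect; keying on MAC address rather than IP matters because DHCP reassigns addresses, and the normalization step keeps upper-case or dash-separated entries from slipping through as "unknown" when they are in fact inventoried.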